Subject: Re: No-Exec Stack Smashing 101
From: Crispin Cowan (crispinWIREX.COM)
Date: Wed Apr 26 2000 - 14:01:32 CDT

"Granquist, Lamont" wrote:

> Okay, let's say that you've got:
> 1. non-exec stack
> 2. libc remapped to location with 0x00 in it
> 3. statically linked executable, so no PLT functions
> And assume the bug is a simple buffer overflow in a string function which
> terminates on a 0x00 (i.e. ignore for the moment ways around a 0x00
> "canary")
> How can you get around that? Is there a more general way around non-exec
> stacks than return-into-PLT exploits?

It's a 2-step process:

  1. Inject your payload (code to do "exec(sh)" or equivalent) into some
     heap or static buffer (call it X). Note that you do *not* have to
     overflow buffer X, just give it a string that happens to be native
  2. Overflow the vulnerable buffer and point the code pointer at X.
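The two steps above rely on one thing: a writable buffer that sits next to a code pointer, neither of which needs to live on the stack, so a non-executable stack does not help once the copy into that buffer is unbounded. The following C program is an added illustration of that layout and of the fix; it is not code from the original post or from WireX/Immunix. The `record_t` struct, the function names and the 'A'-filler input are all constructed for the demo. The program never calls the overwritten pointer; it only reports whether the pointer survived the copy, and shows the bounded copy that rejects the oversized input.

```c
#include <stdio.h>
#include <string.h>

/* Constructed layout, not from the post: a writable buffer that happens
 * to sit next to a code pointer. It stands in for the "heap or static
 * buffer X" of step 1 and the "code pointer" of step 2. Neither member
 * lives on the stack, so a non-executable stack says nothing about it. */
typedef struct {
    char buf[16];            /* input lands here */
    void (*handler)(void);   /* the code pointer the overflow reaches */
} record_t;

static void legit_handler(void) { puts("legit handler"); }

/* Vulnerable pattern: trusts a caller-supplied length (think of a
 * length field read off the wire) and copies that many bytes starting at
 * buf. Anything beyond 16 bytes runs straight into handler. The copy is
 * addressed at the whole record so the demo stays inside one object;
 * a strcpy() into buf would clobber handler the same way. */
static void fill_unbounded(record_t *r, const char *src, size_t len) {
    memcpy(r, src, len);     /* no check against sizeof r->buf */
}

/* Hardened version: the length is checked against the destination,
 * leaving room for the terminator, and oversized input is rejected. */
static int fill_bounded(record_t *r, const char *src, size_t len) {
    if (len >= sizeof r->buf)
        return -1;
    memcpy(r->buf, src, len);
    r->buf[len] = '\0';
    return 0;
}

/* 1 if the code pointer still points at legit_handler, 0 if overwritten. */
static int handler_intact(const record_t *r) {
    return r->handler == legit_handler;
}

/* Drives one copy with `len` bytes of constructed filler. Returns 1 when
 * the code pointer survived, 0 when it was overwritten. `len` is clamped
 * to sizeof(record_t) so the demo never writes outside the object. */
static int demo_unbounded(size_t len) {
    record_t r = { "", legit_handler };
    char input[sizeof(record_t)];
    memset(input, 'A', sizeof input);
    if (len > sizeof input)
        len = sizeof input;
    fill_unbounded(&r, input, len);
    return handler_intact(&r);
}

/* Same drive against the hardened copy: 1 if accepted and intact,
 * -1 if the input was rejected before anything was written. */
static int demo_bounded(size_t len) {
    record_t r = { "", legit_handler };
    char input[sizeof(record_t)];
    memset(input, 'A', sizeof input);
    if (len > sizeof input)
        len = sizeof input;
    if (fill_bounded(&r, input, len) != 0)
        return -1;
    return handler_intact(&r);
}

int main(void) {
    printf("unbounded, 8 bytes  : handler intact = %d\n", demo_unbounded(8));
    printf("unbounded, %zu bytes : handler intact = %d\n",
           sizeof(record_t), demo_unbounded(sizeof(record_t)));
    printf("bounded, 8 bytes    : result = %d\n", demo_bounded(8));
    printf("bounded, %zu bytes   : result = %d (rejected)\n",
           sizeof(record_t), demo_bounded(sizeof(record_t)));
    return 0;
}
```

The point for a defender is in the second printed line: with a short input the pointer is intact, with a record-sized input it is gone, and the stack's execute permission never entered into it. The mitigation that actually removes the problem is the length check in `fill_bounded`, not the memory permission on any one region.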

Crispin Cowan, CTO, WireX Communications, Inc. http://wirex.com
Free Hardened Linux Distribution: http://immunix.org
                  JOBS! http://immunix.org/jobs.html